This Data Processing and Security Exhibit (“Exhibit”) supplements your Agreement regarding your access to and use of any of COMPLY’s SaaS and/or Professional Services offerings, as applicable, and sets forth the confidentiality, non-disclosure and security requirements for Private Information subject to Applicable Data Protection Law.
As used herein, the terms “you” and “your” refer to the legal entity represented on your Order Schedule, or any other ordering document accepted by us for your order of our Services (each an “Order Schedule”). Further, any references to terms such as “we,” “our,” “us,” “ComplySci” and “COMPLY” will mean the COMPLY™ entity described in your Agreement that references these Additional Terms. You may not access or use our Services if you are a competitor, or for the purposes of monitoring availability, performance, or functionality, or for any other benchmarking or competitive purposes.
1. Definitions
Unless defined in the Agreement, all capitalized terms used in this Exhibit shall have the meanings given to them below:
1.1 Agreement: means the written agreement between us and you for the provision of certain Services to which this Exhibit is attached.
1.2 Applicable Data Protection Law: means the following data protection laws: (i) EU Regulation 2016/679 (“GDPR”), where the Controller is established in a European Economic Area (“EEA”) member state or is otherwise subject to GDPR; (ii) the UK Data Protection Act 2018 (“UK GDPR”); (iii) the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. along with its implementing regulations, any amendments or replacements to it from time to time (including the California Privacy Rights Act of 2020) (collectively, the “CCPA”) and any data protection laws substantially amending, replacing or superseding GDPR, UK GDPR, and/or CCPA, as applicable.
1.3 Controller: has the meaning given under GDPR and UK GDPR. For the purposes herein, you are the Controller.
1.4 Data Subject: means an individual who is the subject of Personal Data.
1.5 Exhibit: means this Data Processing and Security Exhibit.
1.6 Party: means either you or us, and “Parties” means, collectively, you and us.
1.7 Personal Data: means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.8 Processor: has the meaning given under GDPR and UK GDPR. For the purposes herein, we are a Processor and references to Processor refer to us.
1.9 Processing: means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.10 Processor Group: means Processor and any entity which controls, is controlled by, or is under common control with, Processor.
1.11 Service(s): means the products and services contracted by you and made available by us pursuant to the Agreement.
1.12 Service Data: means electronic data, or other materials submitted to and stored within the Service by Controller, its Agents and End-Users, in connection with Controller’s use of such Service, including, without limitation, Personal Data.
1.13 Sub-processor: means any third-party data processor engaged by Processor, including entities from the Processor Group, who receives Personal Data from Processor for processing on behalf of Controller and in accordance with Controller’s instructions (as communicated by Processor) and the terms of its written subcontract.
1.14 Supervisor: means any Data Protection Supervisory Authority with competence over Controller’s and Processor’s Processing of Personal Data.
In addition to the above, any other capitalized terms used but not defined in this Exhibit shall have the meaning set forth in the Agreement.
2. Purpose
2.1 You and we have entered the Agreement pursuant to which you are provided a subscription to access and use the Service. In providing the Service, we will engage, on behalf of you, in the Processing of Personal Data submitted to and stored within the Service by you or third parties with whom Controller transacts using the Service.
3. Ownership of Your Data
3.1 As between the Parties, all Service Data Processed under the terms of this Exhibit and the Agreement shall remain the property of Controller. Under no circumstances will Processor act, or be deemed to act, as a “controller” (or equivalent concept) of the Service Data Processed within the Service under any Applicable Data Protection Law.
4. Obligations of the Processor
4.1 The Parties agree that the subject-matter and duration of Processing performed by Processor under this Exhibit, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be described in Section 13 of this Exhibit and in the Agreement.
4.2 As part of Processor providing the Service to Controller under the Agreement, Processor agrees and declares as follows:
(i) to process Personal Data in accordance with Controller’s documented instructions as set out in the Agreement and this Exhibit or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Processor shall inform Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
(ii) to ensure that all staff and management of any member of the Processor Group are fully aware of their responsibilities to protect Personal Data in accordance with this Exhibit and have committed themselves to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality;
(iii) to implement and maintain appropriate technical and organizational measures to protect Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (a “Data Security Breach”), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected;
(iv) to notify Controller, without undue delay and as set forth in the Agreement, in the event of a confirmed Data Security Breach affecting Controller’s Service Data and to cooperate with Controller as necessary to mitigate or remediate the Data Security Breach, and to promptly provide Controller with the information required by Applicable Data Protection Laws, to the extent available to Processor;
(v) to comply with the requirements of Section 5 (Use of Sub-processor) when engaging a Sub-processor;
(vi) taking into account the nature of the Processing, to assist Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfill Controller’s obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a “Data Subject Request”). In the event Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Controller in the first instance. However, in the event Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Processor, Processor shall, at Controller’s request and at Controller’s reasonable expense, address the Data Subject Request, as required under the Applicable Data Protection Law;
(vii) upon request, to provide Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Processor, to help Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;
(viii) upon termination of Controller’s access to and use of the Service, to comply with the requirements of Section 9 (Return and Destruction of Personal Data);
(ix) to comply with the requirements of Section 6 (Audit) in order to make available to Controller information that demonstrates Processor’s compliance with this Exhibit; and
(x) to appoint an individual who will act as a point of contact for Controller, and coordinate and control compliance with this Exhibit, including the Security Standards detailed in Section 12 hereunder.
4.3 Processor shall immediately inform Controller if, in its opinion, Controller’s Processing instructions infringe any laws or regulation. In such event, Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
5. Use of Sub-Processors
5.1 Controller agrees that Processor may engage Sub-processors through written agreements to assist it in providing the Service and Processing Personal Data provided that such Sub-processors:
(i) agree to act only on Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with Controller’s Processing instructions to Processor); and
(ii) agree to protect the Personal Data to a standard consistent with the requirements of this Exhibit, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process consistent with the Security Standards described in Section 11 hereunder.
(iii) where Processor contracts with any Sub-processor to Process Personal Data outside the EEA, United Kingdom, or Switzerland, Processor and its Sub-processor shall execute the EU Commission’s Standard Contractual Clauses (“EU SCCs”) (using module 3 for “Processor-to-Processor” transfers) implementing Decision EU 2021/914 of 4 June 2021, as amended by the International Data Transfer Addendum to the SCCs version B.1.0 (“UK IDTA”) issued by the United Kingdom’s Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 for transfers from the United Kingdom.
5.2 Processor shall remain liable to Controller for any Processing of Service Data by its direct or indirect Sub-processors under this Exhibit. Processor shall maintain an up-to-date list of the names and location of all Sub-processors used for the Processing of Personal Data under this Exhibit. In the event Controller objects in good faith to the Processing of its Personal Data by any newly appointed Sub-processor, as described in this section 5.2, it shall immediately inform Processor of its reasons for such objection. Controller and Processor will use reasonable efforts to determine a way of addressing Controller’s objection without adversely impacting the Processor’s ability to deliver the Services. If Processor determines that it cannot accommodate Controller’s good faith objection, Processor shall notify Controller of such determination. Upon receipt of such notice, Controller may terminate the Agreement without penalty or liability (other than for fees due and owing to Processor for Services performed prior to such termination), which termination shall be effective immediately upon written notice to Processor; provided the foregoing right of termination shall expire ten (10) days from Processor’s notice of such determination. Processor shall, within thirty (30) days of its receipt of such termination notice from Controller, refund Controller the unused prorated portion of any prepaid fees for the period following the effective date of termination.
5.3 Controller understands that, for the convenience of Controller, certain Services delivered by Processor may include URLs, links, or other means for connecting to websites controlled by third parties (“Third Party Sites”). Controller further understands that its enablement, access to and use of such Third Party Sites is governed solely by the terms and conditions and privacy policies of the third parties that operate such Third Party Sites. Processor disclaims (a) any endorsement, representations, and/or warranties regarding the Third Party Sites including, without limitation, the content or manner in which they handle any data (including personal data) Controller elects to share with such Third Party Sites (whether directly or indirectly through the Services), and (b) any responsibility or liability for any damage, harm, or loss caused or alleged to be caused by or in connection with Controller’s enablement, access or use of any such Third Party Sites, and/or Controller’s reliance on the privacy practices, data security processes or other policies of such Third Party Sites. For the avoidance of doubt, Third Party Sites are not and shall not be deemed Sub-processors for any purpose under this Exhibit.
6. Audits
6.1 The Parties acknowledge that Processor uses and relies upon third party auditors to verify the adequacy of its security measures related to the Services, including the security of the physical data centers from which Processor Processes Personal Data. Such audits:
(i) will be performed at least annually;
(ii) will be performed according to industry standards;
(iii) will be performed by independent third party security professionals at Processor’s selection and expense; and
(iv) will result in the generation of an audit report affirming that Processor’s data security controls achieve prevailing industry standards (e.g., a SOC1, SOC2 or similar report).
6.2 Processor shall provide responsive and detailed information to Controller’s requests for information (including any requests by Controller under instruction from Data Subjects), which may include responses to relevant information security and audit questionnaires.
6.3 At Controller’s written request, Processor will provide Controller with a confidential summary of the Report (“Summary Report”) so that Controller can reasonably verify Processor’s compliance with the security and audit obligations under this Exhibit. The Summary Report will constitute Processor’s Confidential Information under the confidentiality provisions of the Agreement.
6.4 In the event that Sections 6.1 and 6.2 are not sufficient to respond to a Supervisor under GDPR, or as otherwise expressly required by Applicable Data Protection Laws, Processor shall allow for and contribute to audits, including inspections, conducted by Controller or a third party mutually agreed by Processor and Controller, at Controller’s sole and exclusive cost and expense, solely for the purposes of validating Processor’s compliance with Applicable Data Protection Laws.
7. International Data Exports
7.1 Controller acknowledges that Processor and its Sub-processors may maintain data processing operations in countries that are outside of the EEA, the United Kingdom, and Switzerland. As such, both Processor and its Sub-processors may Process Personal Data outside of the EEA, the United Kingdom, and Switzerland. This will apply even where Controller has agreed with Processor to host Personal Data in the EEA, United Kingdom, and/or Switzerland if such Processing is necessary to provide support-related or other services requested by Controller.
7.2 Where Processor, either directly or indirectly, Processes Personal Data via onward transfer (a) from the EEA or Switzerland, Controller and Processor agree that such Processing shall be subject to EU SCCs (using module 2 for “Controller-to-Processor” transfers) located at: www.complysci.com/comply-eu-sccs-0323.pdf and incorporated by this reference, and (b) where such transfers are from the United Kingdom, such EU SCCs shall be amended by the UK IDTA located at: www.complysci.com/comply-uk-idta-0323.pdf and incorporated by this reference.
8. Obligations of the Controller
As part of Controller receiving the Service under the Agreement, Controller agrees and declares as follows:
8.1 It is solely responsible for the accuracy of Personal Data and the means by which such Personal Data is acquired and the Processing of Personal Data by Controller, including instructing Processing by Processor in accordance with this Exhibit and for the purposes of provision of the Service, is and shall continue to be in accordance with all the relevant provisions of the Applicable Data Protection Law, particularly with respect to the security, protection and disclosure of Personal Data;
8.2 That if Processing by Processor involves any “special” or “sensitive” categories of Personal Data (as defined under Applicable Data Protection law), Controller has collected such Personal Data in accordance with Applicable Data Protection Law;
8.3 The Controller will inform its Data Subjects:
(i) about its use of Processors to Process their Personal Data, including the Processor; and
(ii) that their Personal Data may be Processed outside of the EEA, United Kingdom, or Switzerland;
8.4 that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by Controller, and to give appropriate instructions to Processor in a timely manner; and
8.5 that it shall respond in a reasonable time to enquiries from a Supervisor regarding the Processing of relevant Personal Data by Controller.
9. CCPA Compliance
9.1 With respect to any “personal information” (as defined in the CCPA) provided by you (“Personal Information”) and Processed by us pursuant to the Agreement, such Processing shall be subject to the CCPA. We shall act as a “service provider” (as defined under CCPA) to you with respect to such Processing.
9.2 We agree not to use, Share (as defined in the CCPA), or Sell (as defined in the CCPA) any Personal Information (including such Personal Information pertaining to your Authorized Users) other than to provide the Services, as authorized by the Agreement, within the direct business relationship between the Parties.
9.3 We will not Sell (as defined in the CCPA) any Personal Information (including such Personal Information pertaining to your Authorized Users).
9.4 The Parties acknowledge and agree that the provision of any Services by us to you is for your Business Purposes.
9.5 We will direct any individual requesting to exercise their rights under the CCPA to submit their request directly to you by contacting you.
9.6 We shall comply with our applicable obligations under the CCPA and provide the level of privacy protection for Personal Information as is required under the CCPA.
9.7 You shall have the right to take reasonable and appropriate steps to: (i) ensure that the Personal Information transferred to us is used by us in a manner that is consistent with the CCPA; and (ii) stop and remediate any unauthorized use by us of Personal Information; and, we agree to reasonably co-operate with your exercise of the aforementioned rights.
9.8 We shall promptly notify you in writing if at any time we make a determination that we can no longer meet our obligations regarding CCPA compliance under this Exhibit.
10. Return and Destruction of Your Data
10.1 Upon termination of the Services and/or the Agreement, whichever comes earlier, and otherwise in compliance with Applicable Data Protection Law, Processor shall be permitted to delete from Controller’s production environment for the Services, all copies of the Service Data stored or Processed by Processor on behalf of Controller.
11. Duration
11.1 This Exhibit will remain in force as long as Processor Processes Personal Data on behalf of Controller under the Agreement.
12. Security Standards
12.1 As of the Effective Date of the Agreement, we, when Processing Personal Data on behalf of you in connection with the Service, shall implement and maintain the following technical and organizational security measures for the Processing of such Personal Data (“Security Standards”):
(i) Physical Access Controls: We shall take reasonable measures to prevent physical access, such as secured buildings and premises, to prevent unauthorized persons from gaining access to Personal Data, or ensure Third Parties operating data centers on our behalf are adhering to such controls.
(ii) System Access Controls: We shall take reasonable measures to prevent Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.
(iii) Data Access Controls: We shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege to access; and that Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing.
(iv) Transmission Controls: We shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
(v) Input Controls: We shall take reasonable measures to provide that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed. We shall take reasonable measures to ensure that (i) the Personal Data source is under the control of you; and (ii) Personal Data integrated into the Platform is managed by secured transmission from you.
(vi) Data Backup: Back-ups of the databases in the Platform are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss when hosted by us.
(vii) Logical Separation: Data from our different subscriber environments is logically segregated on our systems to ensure that Personal Data that is collected for different purposes may be processed separately.
13. GDPR Service Data Information
Subject Matter | Your data entered or shared in relation to the Services purchased under the Agreement
Duration | The Term of the Agreement
Nature and Purpose of the Processing | The nature of the Processing is to host, store and take other actions related to your data as required by the Services purchased by you under the Agreement. The purpose of the Processing under this DPA is the provision of the Services purchased by you under the Agreement.
Categories of Data Subjects | Data could include your personnel, their family members, brokers, representatives, and other individuals as identified in your policies and procedures.
Types of Personal Data | Data uploaded to the Services in relation to the Services purchased under the Agreement.
Sub-processors | As noted on the Sub-processor website located at https://www.complysci.com/gdpr-sub-processors/.
Data Transfers | Identify any countries outside the EEA, United Kingdom, Switzerland, or an international Processor organization to which data may be transferred.
Security Measures | We shall maintain an information security profile equal to or surpassing industry standards as attested to by a third-party security review, a SOC 1, Type II audit, a SOC 2, Type I audit (for the ComplySci Risk and Compliance Platform™), third party penetration testing, and third party code review and test in accordance with Section 12 of this Exhibit.
Supplier DPO | Insert contact details for our Data Protection Officer, if applicable.
Your Rights and Obligations | Your rights and obligations are described in the Agreement.
Last Updated: March 2, 2023